z3k0sec

My OSCP Journey of Persistence, Learning, and Growth


This year, I decided to pursue the OSCP certification to finally check it off my bucket list. Several industry professionals have told me that it can help bypass the HR firewall when applying for a job as a penetration tester.

I purchased the discounted Learn One subscription during Offsec’s Black Friday deals at the end of 2023.

The first week

During the first week, I dedicated most of my free time to working through the modules and labs provided by Offsec. I found the content engaging — it offers a solid overview of each module. While much of it was a repetition of concepts I was already familiar with, I did pick up some new insights along the way.

For note-taking, I used Obsidian in combination with Syncthing to sync my notes across multiple devices within my network.

Each module includes labs and exercises that need to be completed in order to earn 10 bonus points for the exam. To qualify, you must finish 80% of the exercises in every module and submit 30 of the 57 flags from the challenge labs. (Update: no more bonus points from 01 Nov 2024.)

By the end of the first week, I had completed around 40% of the material and felt quite confident. The process was straightforward: you read through the material, take notes, and practice by applying the theory in (real-world) scenarios. Then, you work through the lab modules, answer the questions, and keep progressing from there.

The rest of the month

For the rest of the month, I spent about two hours each weekday working through the remaining material. OffSec provides a solid introduction to cybersecurity, covering learning strategies and the essentials of writing a penetration testing report.

The coursework begins with information gathering and vulnerability scanning, then moves into common web application attacks such as Local File Inclusion (LFI), Remote File Inclusion (RFI), and SQL injection.

I particularly enjoyed the labs on client-side attacks, which had a realistic feel and were quite engaging.

Subsequent sections focus on identifying public exploits, modifying them for specific cases, and conducting password attacks. I chose to skip the module “Antivirus Evasion”, as I’ve been told that it isn’t relevant for the exam.

The next modules cover common Windows and Linux privilege escalation techniques, followed by an introduction to port redirection, SSH tunneling, and a module on using Metasploit.

The only new material for me was the Active Directory section, which delves into AD enumeration, AD authentication attacks, and lateral movement within AD environments.

The final modules bring everything together by simulating a penetration test on a vulnerable machine. At the end, you’re introduced to the challenge labs, which closely resemble the experience you’ll face in the exam, especially in the OSCP A, B, and C sets.

Challenge Labs

The labs provide an excellent opportunity to put the knowledge from the modules into practice. You will get stuck. You may lose motivation, but don’t let it discourage you — stick with it and absorb as much as possible. If there are multiple ways to exploit a machine, try them all. Take detailed notes on each method, and keep learning and progressing. You will fail, but failure is a crucial part of the learning process.

This is where I spent most of the second month. I dedicated several days to working through the labs, spending at least 2-3 hours a day. Between lab sessions, I reorganized my notes and created cheatsheets for services, techniques and vulnerabilities I frequently encountered.

Don’t hesitate to ask well-thought-out questions in the Discord. Mentors and fellow students are usually willing to help, but don’t expect to be spoon-fed the answers. Always try to research on your own, then ask for guidance if needed.

The last month

In the final month, I focused heavily on solving Proving Grounds Practice machines. This allowed me to encounter a variety of services, explore different exploitation paths, and refine both my methodology and cheatsheets.

For each machine, I wrote a brief report, documenting everything from the initial Nmap scan to the foothold and privilege escalation phase. If any techniques or methods remained unclear, I would formulate questions, write them down, and either work through them on my own or seek help from the Discord community.

I completed the OSCP course within three months and felt confident enough to take on the exam. After booking my exam, I spent the next few days assisting others on Discord and organizing my notes. Two weeks later, I sat for the exam.

The exam day

I scheduled my exam for around 8:00 AM, brewed some hot coffee, prepared breakfast and lunch. I had already informed my family and friends that I wouldn’t be available for the next 24 hours.

For the exam, I used Windows 10 as my host system, running Kali Linux in a virtual machine via VMware Workstation, the same setup I had used during my preparation.

OffSec provides the exam infrastructure details a few days before the exam via email. The verification process at the start, which involved confirming my identity with a passport and ensuring I was alone in the room, took about 10-15 minutes.

08:15AM
I began with the Active Directory (AD) set, aiming for the 40 points you get by compromising the AD environment, which consists of two clients and a Domain Controller. I ran an Nmap scan of the AD set, searching for vulnerable services to establish a foothold, but aside from an outdated web application that wasn’t exploitable, I found little to work with. I tried numerous public CVEs against the server version but had no success.

After 30 to 45 minutes, I decided to leave the AD set and focus on the standalone machines.

09:00AM
The first standalone machine was rooted in about 45 minutes — quick, straightforward, and similar to the ones I had practiced on in the Proving Grounds. Then, I took a short 10-15 minute break.

10:00AM
Returning to my workstation, I gave the AD set another shot, but every attempt failed. Realizing I needed to root the two remaining standalone machines to pass, I shifted focus. Each fully compromised machine is worth 20 points, and along with 10 bonus points, I needed 70 points to pass the exam.

11:00AM
The second machine took me longer — about 1 hour and 30 minutes, mostly spent on resetting the machine as certain services weren’t appearing in my Nmap scans.

01:00PM
After another break for lunch and coffee, I got back to work with one machine left. By this point, I had rooted two standalone machines within 4-5 hours, giving me 50 points (including the 10 bonus points).

With one machine left, I was already imagining how I’d spend the rest of my day, but things didn’t go as planned. The foothold on the final standalone machine was easy once I found the right public exploit, but the privilege escalation turned into a nightmare. I spent the next 4-5 hours going down a rabbit hole, trying everything I could think of. Nothing stuck.

06:00PM
I was hitting a wall, and after a few hours, I lost both motivation and energy. Feeling desperate, I went for a two-hour nap to reset my brain. Then I tried tackling the AD set again, but gave up after several hours of unsuccessful attempts.

12:00AM
With only 8 hours left, I knew I had to root the last standalone machine to pass the exam. I threw every public kernel exploit I knew at the machine, but nothing worked. I found myself stuck in a rabbit hole, chasing dead-end exploits and overcomplicating things, completely missing the obvious solution right in front of me.

06:00AM
In the last hour of my OSCP exam, I realized I had missed something incredibly obvious and simple during the enumeration phase, a mistake that cost me 10 hours of frustration and almost led to failing the exam. It was a tough reminder of how critical thorough, methodical enumeration is to success in the OSCP and how even small oversights can turn into major setbacks. All it took was a quick, basic privilege escalation, and finally I had root.

Barely escaping that rabbit hole, I felt immense relief and satisfaction. With 70/100 points, I had just enough to pass.

07:00AM
Before ending the exam, I reviewed my notes and retraced all my steps — ensuring the entire exploit path, from enumeration scans to foothold and privilege escalation, was thoroughly documented and replicable. I made sure not to miss any screenshots and verified that all the steps could be reproduced. Everything was good to go.

08:00AM
I had never felt so tired, happy, exhausted, and relieved in my life. After all the struggles, finally getting enough points felt like the ultimate payoff for the hours of effort and stress. With the exam behind me, the next 24 hours were dedicated to writing the report.

The next day
OffSec provides their own Word template for writing a penetration testing report, but I chose not to use it. Instead, I wanted to leverage my Markdown notes in Obsidian rather than working with Microsoft Word or LibreOffice.

Initially, I planned to use a tool from GitHub: OSCP-Exam-Report-Template-Markdown. However, despite my best efforts, I couldn’t get it to work. The export feature kept failing with errors related to missing dependencies. I tried it on both Ubuntu and Arch Linux, but nothing I did generated a valid PDF report.

I really wish I had tested the tool before the exam. I was trying to avoid Microsoft Word since it tends to mess up formatting.

So, I had to come up with an alternative solution.

Thankfully, Obsidian has an export feature that produces decent-looking reports, and I hoped it would meet OffSec’s standards. A community plugin called “Automatic Table of Contents” allowed me to generate a reasonably polished table of contents.

To finish the report, I extracted the front page from OffSec’s official PDF document and merged it with the 48-page PDF I had generated.

Even though the content of the report was solid, I wasn’t entirely happy with the formatting — it didn’t feel good enough. I had my doubts, and waiting for the results was nerve-wracking.

In the end, though, I knew I had done everything right. All my steps were reproducible, I had included every necessary screenshot, and I had successfully compromised three standalone machines.

After seven days, I finally received the email confirming that I had passed. I’m now officially OSCP-certified.

OSCP Preparation Tips

  • Join the Discord: Engage with the community for support and advice.
  • Complete the Course Material: Follow the curriculum thoroughly.
  • Practice, practice, practice: Hack various environments to solidify your skills.
  • Take Detailed Notes: Document everything meticulously.
  • Develop Your Methodology: Refine your approach to penetration testing.

OSCP Exam Tips

  • Make use of your machine resets if you feel that services do not work as intended.
  • Enumerate the targets thoroughly, enumerate, enumerate, enumerate!
  • Take breaks often and go for a short walk to reset your brain.
  • If you’re stuck for hours, you’re likely in a rabbit hole.
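The enumeration tip and the machine-reset tip are two sides of the same habit: the exam's second machine cost time because services did not show up in the scans, and nmap's default scan only covers the top 1000 TCP ports. The script below is an added example, not the author's own tooling or anything from the course: it scans all 65535 TCP ports first, extracts the open ports from nmap's grepable output, and only then runs the slow script and version scan on those ports, followed by a UDP top-ports pass. The host 10.10.10.10, the output directory and the sample scan output are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the author's tooling: two-phase TCP enumeration so that
# services on ports outside nmap's default top-1000 are not missed.
# The host 10.10.10.10, the output directory and the sample output below are
# constructed placeholders.

# Turn nmap grepable output (-oG) into a comma list of open TCP ports,
# e.g. "22,80,8080", so the slow -sC -sV pass only touches real ports.
# Filtered/closed entries are dropped; the "Ignored State" trailer that
# follows the last port entry is cut off by the anchored sed pattern.
open_ports_from_grepable() {
    grep -E '^Host: .*Ports: ' "$1" \
      | sed -E 's/.*Ports: //' \
      | tr ',' '\n' \
      | grep '/open/' \
      | sed -E 's#^ *([0-9]+)/open/.*#\1#' \
      | sort -n -u \
      | paste -sd, -
}

# Enumerate one host: all 65535 TCP ports first (no probes, fast), then
# default scripts and version detection only on what is open, then the
# UDP top ports that are easy to forget (SNMP, TFTP). -sU needs root.
# Usage: full_enum 10.10.10.10 scans
full_enum() {
    local target="$1" out="${2:-scans}" ports
    mkdir -p "$out"
    nmap -p- --min-rate 1000 -Pn -oG "$out/alltcp.gnmap" "$target" >/dev/null
    ports=$(open_ports_from_grepable "$out/alltcp.gnmap")
    if [ -z "$ports" ]; then
        # Nothing open on any TCP port is suspicious on an exam box:
        # rescan slower before concluding, then consider a machine reset.
        echo "no open TCP ports on $target: rescan slower or reset the box" >&2
        return 1
    fi
    nmap -sC -sV -p "$ports" -Pn -oN "$out/targeted.nmap" "$target"
    nmap -sU --top-ports 20 -Pn -oN "$out/udp.nmap" "$target"
}

# Constructed sample of what "nmap -p- -oG" writes for a fake host, so the
# parser can be exercised offline (fields in -oG output are tab separated).
write_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated (constructed sample)\n'
        printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
        printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, '
        printf '80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, '
        printf '8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n'
        printf '# Nmap done -- 1 IP address (1 host up)\n'
    } > "$1"
}

# Offline demonstration of the parser on the constructed sample.
sample=$(mktemp)
write_sample_gnmap "$sample"
echo "open ports in sample: $(open_ports_from_grepable "$sample")"   # 22,80,8080
rm -f "$sample"
```

Run `full_enum` against each exam target as soon as the VPN is up and keep the three output files in your notes; the parser is what keeps the second phase cheap, and the empty-result branch is the point at which a slower rescan or a machine reset, as the first tip suggests, is the right move rather than assuming the box has nothing to offer.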

Conclusion

Overall, I found the OSCP course and exam to be an excellent experience. It was undeniably exhausting and stressful, filled with moments of frustration and doubt. Yet, it was also incredibly rewarding, teaching me invaluable lessons about resilience and persistence. Despite the challenges, I’m grateful for the journey and proud of what I accomplished.